Tag: Inbound

My question is about security groups/firewalls and protecting a virtual private cloud from the external world. Here is a description of VPC default policy for inbound/outbound traffic (on AWS):

Each security group by default contains an outbound rule that allows access to any IP address. It’s important to note that when an instance sends traffic out, the security group will allow reply traffic to reach the instance, regardless of what inbound rules are configured.

I was wondering if there exists an attack vector where a malicious user tries to circumvent the VPC’s inbound policy (i.e. block all traffic) by tricking it into thinking that the incoming traffic is a “reply” traffic? Does such attack have a name in the literature?

I can also think of a scenario where a target machine T (within a VPC) sends a request to some valid server V, but the malicious user M sends a malicious response to T (tricking it into believing that it comes from V) before T receives the actual response from V, thence circumventing T's inbound traffic policy.

If traffic is denied for inbound communication and the traffic is huge, can it be a security concern? It may be a DDoS attack. Can you please let me know whether denied traffic for inbound communication is a security concern or whether we can ignore it?

A strict interpretation of that rule would seem to prohibit web browsing by PCs on the same LAN as a card processing PC. However, it appears that rule is interpreted in practice as though it says “Restrict inbound and outbound traffic to that which is necessary for the business environment.” Can anyone provide confirmation or clarification?

I’m not trained in Linux, but I think I found the solution to my problem documented, but it is not working as expected. I am NOT an iptables guru, I’m learning as I go.

A Russian IP is trying to hack my network, especially an email server I have running on my network. So I have a port forward of port 25 to the mail server machine. My router is running TomatoUSB – a Linux based router I have root ssh access to.

I’ve tried this command:

iptables -I INPUT -s 45.142.195.5 -j DROP

And

iptables -L -nv

returns a lot of stuff, and now at the very beginning looks like this:

This did not stop the traffic, though, as my email server is still reporting connection attempts from this IP address, so the rule is not dropping anything.

Perhaps the INPUT chain is not where I need to add this? I'm not yet educated on the different chains. INPUT intuitively seemed like the right place, but because this is a NAT router, should I really have some sort of rule in the FORWARD chain that can say not to forward to anyone if this is the source address?

Seems like what I want to do should not be difficult, but I’m struggling to figure this one out so far.

How can I configure an inbound rule on a Windows Server 2016 firewall to allow access from a program which is not installed on the server? When searching for a program, browse is only offered for locations on the server. Is the path specified for the rule applied to the machine accessing the server? Is it possible to create a rule based only on the executable program file name, irrespective of where it is installed on the machine accessing the server?

I'm trying to figure out if we can create an outgoing connection to an inbound node (a node which we are already connected to, but the remote peer has initiated the connection). I know that this does not make much sense since we exchange information with inbound and outbound nodes. However, I have looked at the source code and did not find the code that prevents a node from doing that. Is anyone out there more successful?

This does work. Inbound requests are mapped from 8181 to 8080 — however, if this system has to perform a REST call to another system on port 8181 — it translates the outbound to 8080. Is there a way to specify inbound 8181 without defining the destination IP? I mean if that's what I have to do I'll write a more complex script to do it, but I was hoping there might be an easier way…